[Spice-devel,v3,1/2] server/red_parse_qxl: disallow zero area bitmaps

Submitted by Alon Levy on July 22, 2012, 10:04 a.m.

Details

Message ID 1342951460-21744-1-git-send-email-alevy@redhat.com
State New

Commit Message

Alon Levy July 22, 2012, 10:04 a.m.
prevents division by zero later (SIGFPE, Arithmetic exception) in
spice-common code, at spice-common/common/canvas_base.c:646
for both client and server (server only upon rendering).
---
 server/red_parse_qxl.c |    4 ++++
 1 file changed, 4 insertions(+)

Patch

diff --git a/server/red_parse_qxl.c b/server/red_parse_qxl.c
index daae897..00cc534 100644
--- a/server/red_parse_qxl.c
+++ b/server/red_parse_qxl.c
@@ -371,6 +371,10 @@  static SpiceImage *red_get_image(RedMemSlotInfo *slots, int group_id,
                           red->u.bitmap.format);
             return NULL;
         }
+        if (qxl->bitmap.x == 0 || qxl->bitmap.y == 0) {
+            spice_warning("guest error: zero area bitmap\n");
+            return NULL;
+        }
         qxl_flags = qxl->bitmap.flags;
         if (qxl_flags & QXL_BITMAP_TOP_DOWN) {
             red->u.bitmap.flags = SPICE_BITMAP_FLAGS_TOP_DOWN;
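Review bot: the new `return NULL` on a zero-area bitmap leaks `red`. As the reply on this page points out, the routine allocates it with `red = spice_new0(SpiceImage, 1);` before these checks, and the preceding format check already returns the same way, so both error paths drop the allocation. Suggest one cleanup label that frees `red` (and anything already attached to it) and a `goto` to it from both checks, so the rejection of a guest-supplied zero-width or zero-height bitmap keeps its intent without adding a leak.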

Comments

Hi,
On 07/22/2012 01:04 PM, Alon Levy wrote:
> prevents division by zero later (SIGFPE, Arithmetic exception) in
> spice-common code, at spice-common/common/canvas_base.c:646
> for both client and server (server only upon rendering).
> ---
>   server/red_parse_qxl.c |    4 ++++
>   1 file changed, 4 insertions(+)
>
> diff --git a/server/red_parse_qxl.c b/server/red_parse_qxl.c
> index daae897..00cc534 100644
> --- a/server/red_parse_qxl.c
> +++ b/server/red_parse_qxl.c
> @@ -371,6 +371,10 @@ static SpiceImage *red_get_image(RedMemSlotInfo *slots, int group_id,
>                             red->u.bitmap.format);
>               return NULL;
>           }
> +        if (qxl->bitmap.x == 0 || qxl->bitmap.y == 0) {
> +            spice_warning("guest error: zero area bitmap\n");
> +            return NULL;
> +        }
>           qxl_flags = qxl->bitmap.flags;
>           if (qxl_flags&  QXL_BITMAP_TOP_DOWN) {
>               red->u.bitmap.flags = SPICE_BITMAP_FLAGS_TOP_DOWN;

Looks like this routine suffers from a leak of SpiceImage
see "red = spice_new0(SpiceImage, 1);"

goto some cleanup section before returning NULL.

Cheers,
Yonit.
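The two points raised on this page, rejecting a zero-area bitmap before any code divides by its dimensions, and leaving a parse routine through a single cleanup path so the allocated image is not leaked, as an added example written for this page. It is not SPICE code; every struct, function and bound in it (GuestBitmap, HostImage, MAX_BITMAP_DIM, parse_guest_bitmap, bytes_per_pixel) is hypothetical, and the division shown stands in for the one in the rendering code rather than reproducing it.

```c
/* Added example, not SPICE code: validate a guest-supplied bitmap header
 * before any arithmetic that divides by its dimensions, and make every
 * error path in the parser leave through one cleanup label. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_BITMAP_DIM 8192u   /* illustrative upper bound, not a SPICE constant */

/* Hypothetical stand-in for the guest-controlled bitmap header. */
typedef struct {
    uint32_t x, y;        /* width and height in pixels */
    uint32_t stride;      /* bytes per row claimed by the guest */
    uint32_t data_len;    /* bytes of pixel data actually supplied */
} GuestBitmap;

/* Hypothetical host-side image built from the header. */
typedef struct {
    uint32_t width, height, stride;
    uint8_t *pixels;
} HostImage;

/* Returns 1 if the header is safe to use, 0 otherwise.  Each check is
 * ordered so that no division below it can have a zero divisor. */
int bitmap_header_ok(const GuestBitmap *b)
{
    if (b->x == 0 || b->y == 0)                         /* zero-area bitmap */
        return 0;
    if (b->x > MAX_BITMAP_DIM || b->y > MAX_BITMAP_DIM) /* absurd size */
        return 0;
    if (b->stride / 4 < b->x)                           /* row too narrow for 32bpp */
        return 0;                                        /* (also rejects stride == 0) */
    if (b->data_len / b->stride < b->y)                 /* fewer rows than claimed */
        return 0;
    return 1;
}

/* Parses a guest bitmap into a freshly allocated HostImage.
 * Returns NULL on any error and never leaks the allocation. */
HostImage *parse_guest_bitmap(const GuestBitmap *b, const uint8_t *data)
{
    HostImage *img = calloc(1, sizeof *img);
    if (img == NULL)
        return NULL;

    if (!bitmap_header_ok(b))
        goto fail;                                     /* single exit, frees img */

    img->width  = b->x;
    img->height = b->y;
    img->stride = b->stride;
    img->pixels = malloc((size_t)b->stride * b->y);
    if (img->pixels == NULL)
        goto fail;
    memcpy(img->pixels, data, (size_t)b->stride * b->y);
    return img;

fail:
    free(img->pixels);   /* NULL-safe: calloc zeroed it */
    free(img);
    return NULL;
}

void host_image_free(HostImage *img)
{
    if (img != NULL) {
        free(img->pixels);
        free(img);
    }
}

/* Illustrative consumer that divides by a dimension, as rendering code
 * tends to; with width == 0 this would raise SIGFPE, which is why the
 * header check above runs first. */
uint32_t bytes_per_pixel(const HostImage *img)
{
    return img->stride / img->width;
}

int main(void)
{
    /* Constructed inputs: a 2x2 32bpp bitmap and a zero-width one. */
    const uint8_t data[16] = {0};
    GuestBitmap good = {2, 2, 8, sizeof data};
    GuestBitmap zero = {0, 2, 8, sizeof data};

    HostImage *img = parse_guest_bitmap(&good, data);
    printf("good: %s, bpp=%u\n", img ? "accepted" : "rejected",
           img ? bytes_per_pixel(img) : 0);
    host_image_free(img);

    printf("zero-width: %s\n",
           parse_guest_bitmap(&zero, data) ? "accepted" : "rejected");
    return 0;
}
```

The ordering inside bitmap_header_ok is the point: the zero checks come first, the stride check divides by a constant, and the row-count check divides by stride only after the stride check has guaranteed it is at least four times a non-zero width.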